__uacme*, __nginx: allow external ACME provider, EAB authentication

This commit is contained in:
fnux 2021-12-14 12:37:18 +01:00
parent 698525fcd2
commit a38275f6d7
No known key found for this signature in database
GPG key ID: 4502C902C00A1E12
9 changed files with 82 additions and 4 deletions

View file

@ -28,6 +28,16 @@ uacme-hookscript
Custom hook passed to the __uacme_obtain type: useful to integrate the
dns-01 challenge with third-party DNS providers.
acme-url
ACMEv2 server directory object URL. Lets'Encrypt is used by default.
acme-eab-credentials
Specify RFC8555 External Account Binding credentials according to
https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
ACME account with an existing account in a non-ACME system such as a CA
customer database. KEYID must be an ASCII string. KEY must be
base64url-encoded.
EXAMPLES
--------

View file

@ -36,6 +36,20 @@ then
set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
fi
set_custom_acme_url=
if [ -f "${__object:?}/parameter/acme-url" ];
then
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
set_custom_acme_url="--acme-url $custom_acme_url"
fi
set_acme_eab_credentials=
if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
then
acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
fi
# Deploy simple HTTP vhost, allowing to serve ACME challenges.
__nginx_vhost "301-to-https-$domain" \
--domain "$domain" --altdomains "$altdomains" --to-https
@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
fi
__uacme_account
# shellcheck disable=SC2086
__uacme_account \
$set_custom_acme_url \
$set_acme_eab_credentials \
# shellcheck disable=SC2086
require="__nginx_vhost/301-to-https-$domain __uacme_account" \
__uacme_obtain "$domain" \
--altdomains "$altdomains" \
$set_custom_uacme_hookscript \
$set_custom_acme_url \
$set_acme_eab_credentials \
--owner "$cert_ownership" \
--install-key-to "$nginx_certdir/$domain/privkey.pem" \
--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \

View file

@ -2,4 +2,6 @@ config
domain
altdomains
uacme-hookscript
acme-url
acme-eab-credentials
force-cert-ownership-to

View file

@ -18,6 +18,21 @@ then
admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
fi
# Autoaccept ACME server terms (if any) upon new account creation.
uacme_opts="--yes"
# Non-default ACMEv2 server directory object URL.
if [ -f "${__object:?}/parameter/acme-url" ]; then
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
uacme_opts="$uacme_opts --acme-url $custom_acme_url"
fi
# Specify RFC8555 External Account Binding credentials.
if [ -f "${__object:?}/parameter/eab-credentials" ]; then
eab_credentials=$(cat "${__object:?}/parameter/eab-credentials")
uacme_opts="$uacme_opts --eab $eab_credentials"
fi
confdir="${default_confdir:?}"
if [ -f "${__object:?}/parameter/confdir" ];
then
@ -27,6 +42,6 @@ fi
cat << EOF
if ! [ -f "${confdir}/private/key.pem" ];
then
uacme -y new ${admin_mail}
uacme $uacme_opts new ${admin_mail}
fi
EOF

View file

@ -23,6 +23,16 @@ confdir
admin-mail
Administrative contact email to register the account with.
acme-url
ACMEv2 server directory object URL. Lets'Encrypt is used by default.
eab-credentials
Specify RFC8555 External Account Binding credentials according to
https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
ACME account with an existing account in a non-ACME system such as a CA
customer database. KEYID must be an ASCII string. KEY must be
base64url-encoded. This is parameter is not supported by uacme < 1.6.
EXAMPLES
--------
@ -43,6 +53,7 @@ SEE ALSO
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
Timothée Floure <timothee.floure@posteo.net>
COPYING
-------

View file

@ -1,2 +1,4 @@
confdir
admin-mail
acme-url
eab-credentials

View file

@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
export UACME_CHALLENGE_PATH
# Issue certificate.
uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
issue -- ${DOMAIN:?}
uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\
${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?}
# Note: exit code 0 means that certificate was issued.
# Note: exit code 1 means that certificate was still valid, hence not renewed.

View file

@ -69,6 +69,22 @@ then
fi
export MUST_STAPLE
# Non-default ACMEv2 server directory object URL.
ACME_URL=
if [ -f "${__object:?}/parameter/acme-url" ]; then
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
ACME_URL="--acme-url $custom_acme_url"
fi
export ACME_URL
# Specify RFC8555 External Account Binding credentials.
EAB_CREDENTIALS=
if [ -f "${__object:?}/parameter/eab-credentials" ]; then
eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
EAB_CREDENTIALS="--eab $eab_credentials_param"
fi
export EAB_CREDENTIALS
OWNER=root
if [ -f "${__object:?}/parameter/owner" ];
then

View file

@ -5,3 +5,5 @@ owner
install-cert-to
install-key-to
renew-hook
acme-url
eab-credentials